UN privacy report a game-changer in fighting unlawful surveillance

Wednesday, July 16, 2014

Today’s report on the right to privacy in the digital age by the UN High Commissioner on Human Rights, commissioned by the General Assembly in December 2013, marks an historic turning point in the international discourse around privacy and surveillance.

Privacy International believes the report will dramatically change the international conversation on the implications of surveillance and intelligence for human rights. Most importantly, it puts beyond doubt that the very existence of mass surveillance programmes – which the report notes are becoming a “dangerous habit” – interferes with human rights.

Not only is the report the most significant elaboration of the interpretation of the right to privacy issued by the UN in more than 25 years, it makes a number of ground-breaking findings that propel the fight against unlawful surveillance miles ahead. The High Commissioner uses consistently robust and clear language to issue the strongest condemnation of modern surveillance techniques that any international authority has appropriated to date.

Below, we analyse the five major findings of the report that we believe will fundamentally transform the debate around surveillance, intelligence and the right to privacy.

1. Bulk collection/mass surveillance interferes with the right to privacy, regardless of whether the data is used

The High Commissioner’s report officially recognises the types of mass surveillance and bulk collection techniques employed by States across the globe, such as the tapping of fibre-optic cables, compelled disclosure of bulk information by internet services, and mass recording and retention of phone records.

The report declares that “the very existence of a mass surveillance programme… creates an interference with privacy.” Even if mass or bulk surveillance programmes serve a legitimate aim and have been approved on the basis of an accessible legal regime, says the report, they may be deemed to be arbitrary by virtue of their disproportionate impact upon privacy rights.

The High Commissioner notes that, on this analysis, the justification of needing to look for needles in a haystack is not legitimate; the focus should be on what the implications of the surveillance are on the haystack.

The High Commissioner makes the important finding that the distinction between communications content and data is no longer persuasive, hopefully putting to bed once and for all arguments that privacy protections should be attenuated depending on whether surveillance captures content or metadata.

The report rightly calls mandatory data retention what it really is – part of a State’s surveillance regime – and declares that it appears neither necessary nor proportionate enough to comply with human rights law. Although this finding rides the wave of anti-data retention sentiment that has been building since the Court of Justice of the European Union found the EU Data Retention Directive to be in violation of human rights law, the fact that the High Commissioner has added her voice to those condemning mandatory data retention will no doubt prove to be critical as States such as the United Kingdom and Australia seek to revive the practice in the weeks and months ahead.

3. Intelligence sharing regimes may run afoul of human rights law

The High Commissioner’s report provides some of the most robust and strongly-worded analysis of any international or regional human rights authority to date on the relationship between intelligence arrangements and human rights.

She begins by striking to the heart of the Five Eyes surveillance alliance by declaring that “secret rules and secret interpretations – even secret judicial interpretations – of law do not have the necessary qualities of law.” Neither, the High Commissioner says, do laws or rules that give the executive authorities, such as security and intelligence services, excessive discretion. The report thus seriously undermines the legal frameworks relied upon by the UK and US to attempt to justify their surveillance practices as lawful.

In analysing intelligence-sharing relationships the report makes a damning finding for the Five Eyes, noting that there is “credible information to suggest that some Governments systematically have routed data collection and analytical tasks through jurisdictions with weaker safeguards for privacy,” operating a “transnational network of intelligence agencies through interlocking legal loopholes” designed to “outflank the protections of domestic legal regimes.” Intelligence sharing arrangements arguably fail the test of lawfulness, says the report, because individuals are unable to foresee when they might be affected by surveillance at home or abroad.

The High Commissioner also makes the novel suggestion – put forward by civil society, but so far ignored by States – that governments have a positive obligation to protect their own populations from surveillance by foreign entities, be they private or public. This finding has serious implications for governments of the Five Eyes who were well aware of – and complicit in – the vast surveillance activities of their fellow alliance members.

4. Any action by a State to interfere with digital communications engages their human rights obligations, no matter where it occurs

The report takes to task States’ malicious manipulation of interpretations of international law that are designed to avoid human rights responsibilities in relation to surveillance and which “create structural incentives for States to outsource surveillance to each other.”

In addressing the question of jurisdiction, the High Commissioner makes the finding that digital surveillance “may engage a State’s human rights obligations if that surveillance involves the State’s exercise of power or effective control in relation to digital communications infrastructure, wherever found, for example, through direct tapping or penetration of that infrastructure… If a country seeks to assert jurisdiction over the data of private companies as a result of the incorporation of those companies in that country, then human rights protections must be extended to those whose privacy is being interfered with, whether in the country of incorporation or beyond.”

While completely supported by human rights law, this interpretation of jurisdiction is a game-changer given the strong terms in which it is put by the UN. It expands the effective control doctrine and thus the extra-territorial reach of human rights obligations, recognizing that it is effective control over infrastructure, rather than narrowly over individuals, that imports human rights responsibilities. If a State has control over an undersea cable or over a company residing in its jurisdiction, it has human rights obligations with respect to the communications passing through those cables or handled by that company. Those obligations extend to all individuals whose communications flow through that infrastructure, no matter their location or nationality.

Such an understanding of jurisdiction is an innovative application of long-standing human rights principles to a modern human rights issue, namely the ability of States to violate the human rights of individuals far from their jurisdiction or territory. It represents a monumental leap forward in the debate about how States are obliged to respect and protect the right to privacy, for citizens and foreigners alike.

5. The corporate sector plays a critical role in facilitating surveillance, and must play a greater role in protecting privacy

The report notes the concerning degree of control exercised by governments over the private sector, with particular reference to the imposition of requirements to alter infrastructure to install backdoors and other interception capabilities. The High Commissioner also observes the degree to which States lean on communications providers to provide user data. In such circumstances, enterprises should “[interpret] government demands as narrowly as possible, [seek] clarification from a Government with regard to the scope and legal foundation for the demand, [require] a court order before meeting government requests for data, and [communicate] transparently with users about risks and compliance with government demands.”
